I have postfix + spamassassin.
SpamAssassin is supposed to check the SPF of the sender, but I received the following spam:
[email protected] = this is the email on my postfix
Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
astra4450.dedicatedpanel.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.4 required=5.0 tests=BAYES_00,
HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_SBL,SPF_HELO_PASS,SPF_PASS,
TO_IN_SUBJ,TVD_PH_BODY_ACCOUNTS_PRE,T_KAM_HTML_FONT_INVALID,URIBL_BLOCKED,
URIBL_DBL_MALWARE,URIBL_PH_SURBL,URIBL_SBL,URIBL_SBL_A autolearn=no
autolearn_force=no version=3.4.0
Delivered-To: [email protected]
Received: from mail.hostify.vn (mail.hostify.vn [150.95.110.152])
by mx6.example.com (Postfix) with ESMTPS id A0C74100F20F14
for <[email protected]>; Wed, 13 Dec 2023 03:26:58 +0200 (EET)
Received: from localhost (localhost [127.0.0.1])
by mail.hostify.vn (Postfix) with ESMTP id 0FFB9166DF7
for <[email protected]>; Wed, 13 Dec 2023 08:26:57 +0700 (+07)
Received: from mail.hostify.vn ([127.0.0.1])
by localhost (mail.hostify.vn [127.0.0.1]) (amavisd-new, port 10032)
with ESMTP id EaHftMvBvz9k for <[email protected]>;
Wed, 13 Dec 2023 08:26:56 +0700 (+07)
Received: from localhost (localhost [127.0.0.1])
by mail.hostify.vn (Postfix) with ESMTP id 9CEAE167AA0
for <[email protected]>; Wed, 13 Dec 2023 08:26:56 +0700 (+07)
X-Virus-Scanned: amavisd-new at hostify.vn
Received: from mail.hostify.vn ([127.0.0.1])
by localhost (mail.hostify.vn [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id Y2hw8khgynlj for <[email protected]>;
Wed, 13 Dec 2023 08:26:56 +0700 (+07)
Received: from [88.209.206.208] (unknown [88.209.206.208])
by mail.hostify.vn (Postfix) with ESMTPSA id 9CF741675DA
for <[email protected]>; Wed, 13 Dec 2023 08:26:55 +0700 (+07)
From: Admin Helpdesk <[email protected]>
To: [email protected]
Subject: Password Verification For [email protected]
Date: 12 Dec 2023 17:26:54 -0800
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0012_CFC45DD6.E88DD181"
From what I can conclude, the SPF for [email protected] was correct and the sender is "spoofed" in the header as [email protected].
However, there is no way the SPF for [email protected] could be correct.
Today I installed a tool called pypolicyd-spf, but as far as I was able to check, it also checks only the MAIL FROM: SMTP command and not the email headers.
Am I missing something, or am I maybe using the wrong tool for the job?
This is how SPF is supposed to work. From the Introduction of Sender Policy Framework (SPF) (RFC 7208, 1):
DMARC (RFC 7489), on the other hand, enables the sender to publish policies on how they want receivers to handle messages where the From header is not aligned with either the envelope sender (MAIL FROM) passing SPF or a valid DKIM signature.
Let's suppose the following:
It turns out SPF should be checked only on the From: field from the SMTP connection, e.g. [2].
Often this is the same as Return-Path.
Sometimes SPF checks the HELO domain [1].
However, the From: header from the email [3] is never checked.
This means everybody can spoof the sender like this.
In order to mitigate this for your own domain, you can use DMARC and specify that both addresses must be the same.
In order to mitigate this for domains that you do not own, you can increase the following scores in /etc/mail/spamassassin/local.cf
Please note this is a bit risky, because sometimes some domains are not configured 100% correctly.
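The two answers above make the same point from different angles: SPF authenticates the envelope sender (Return-Path / MAIL FROM) and the HELO name, never the From: header, and it is DMARC alignment that ties the two together. The following Python script is an added example, not code from the question, the answers, SpamAssassin or pypolicyd-spf. It extracts the three identities from a message, reads SpamAssassin's SPF_PASS / SPF_HELO_PASS results from X-Spam-Status, and applies DMARC's relaxed and strict alignment rules. Both sample messages are constructed, modelled on the headers in the question, with placeholder domains (`sender.example`, `victim.example`) in place of the real ones; the `org_domain` helper is a two-label simplification of the Public Suffix List lookup real DMARC implementations perform.

```python
"""Added example: DMARC-style identifier alignment over SpamAssassin-tagged headers.

SPF only authenticates RFC5321.MailFrom (seen as Return-Path) and the HELO name;
it never looks at RFC5322.From. This shows why SPF_PASS coexists with a forged From:.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample modelled on the spam headers in the question; all names are
# placeholders. Continuation lines start with a space, as RFC 5322 folding requires.
SPOOFED = """Return-Path: <bounce@sender.example>
X-Spam-Status: No, score=3.4 required=5.0 tests=BAYES_00,
 HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS autolearn=no
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
 by mx6.victim.example (Postfix) with ESMTPS id 0123456789AB
 for <admin@victim.example>; Wed, 13 Dec 2023 03:26:58 +0200 (EET)
From: Admin Helpdesk <admin@victim.example>
To: admin@victim.example
Subject: Password Verification For admin@victim.example

(body omitted)
"""

# Constructed legitimate message: bounces go to a subdomain, so relaxed alignment
# passes while strict alignment (aspf=s) fails.
LEGIT = """Return-Path: <bounce@bounce.victim.example>
X-Spam-Status: No, score=-1.0 required=5.0 tests=BAYES_00,SPF_PASS autolearn=ham
Received: from out.victim.example (out.victim.example [192.0.2.20])
 by mx6.victim.example (Postfix) with ESMTPS id 0123456789AC
 for <admin@victim.example>; Wed, 13 Dec 2023 03:30:00 +0200 (EET)
From: IT <it@victim.example>
To: admin@victim.example
Subject: Maintenance window

(body omitted)
"""


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (real DMARC uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def identities(raw: str) -> dict:
    """Return the domains of the three identities: MAIL FROM, HELO and header From."""
    msg = message_from_string(raw, policy=default)
    _, mailfrom = parseaddr(str(msg.get("Return-Path", "")))
    _, hdr_from = parseaddr(str(msg.get("From", "")))
    helo = ""
    received = msg.get_all("Received") or []
    if received:
        # Postfix writes "from <HELO name> (<rDNS> [<ip>])"; the first token is the HELO.
        m = re.match(r"\s*from\s+(\S+)", str(received[0]))
        if m:
            helo = m.group(1)
    return {
        "mailfrom": mailfrom.rpartition("@")[2],
        "helo": helo,
        "from": hdr_from.rpartition("@")[2],
    }


def spf_tests(raw: str) -> set:
    """Collect the SPF_* rule names SpamAssassin listed in X-Spam-Status."""
    msg = message_from_string(raw, policy=default)
    status = str(msg.get("X-Spam-Status", ""))
    m = re.search(r"tests=(.*?)(?:\s+autolearn=|$)", status, re.S)
    tests = m.group(1) if m else ""
    return {t.strip() for t in tests.split(",") if t.strip().startswith("SPF_")}


def dmarc_check(raw: str, strict: bool = False) -> dict:
    """DMARC SPF alignment: SPF_PASS on MAIL FROM *and* its domain aligned with From."""
    ids = identities(raw)
    tests = spf_tests(raw)
    if strict:
        aligned_domains = ids["mailfrom"] == ids["from"]
    else:
        aligned_domains = org_domain(ids["mailfrom"]) == org_domain(ids["from"])
    spf_pass = "SPF_PASS" in tests  # SPF_HELO_PASS alone never gives DMARC alignment
    aligned = spf_pass and aligned_domains
    return {**ids, "spf_pass": spf_pass, "spf_aligned": aligned,
            "dmarc_spf_result": "pass" if aligned else "fail"}


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "relaxed:", dmarc_check(sample))
        print(label, "strict: ", dmarc_check(sample, strict=True))
```

Run against the spoofed sample, SPF passes (the spammer's own domain authorised the sending host) but the MAIL FROM domain and the From: domain differ, so the DMARC SPF result is "fail"; that is exactly the mismatch SpamAssassin flagged with HEADER_FROM_DIFFERENT_DOMAINS. Publishing a DMARC record with `aspf=s` is the "both addresses must be the same" setting the second answer refers to, and the legitimate sample shows its cost: mail bouncing through a subdomain passes relaxed alignment but fails strict.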